Analysis and Video | Passwords Are No Longer Enough to Protect Your Privacy


Whether the cause is an easily guessed password or a sophisticated phishing attack, even the most diligent and tech-savvy among us can fall victim to account takeovers that put our important personal information at risk.

Just ask Mat Honan, a tech reporter for Wired magazine whose entire online life was taken over by hackers. An attacker who initially wanted only Honan’s Twitter account ended up deleting his Gmail account and remotely wiping his iPhone and MacBook, all by chaining password resets from one linked account to the next. The starting point for all of that destruction was a very low-tech call to Apple’s customer service department, which reset his Apple account password on the strength of a few pieces of personal information the caller had gathered elsewhere. Read his article in Wired to see how the hackers did it and how Honan could have better protected himself.

The stakes get even higher when a single email account with years of storage holds a record of nearly every personal conversation and financial transaction conducted over its lifetime. Those accounts also store mail from friends, co-workers, and business associates who have shared some of their own private information. Hackers sometimes send email from a compromised account to its contacts, knowing the recipients are more likely to hand over personal information to someone they know. How many of us call to verify a request that arrives from a friend by email?

It’s clear that a single password is no longer enough. Most major online services recognize this and offer optional “two-factor authentication” that adds a second layer of protection. Honan says that enabling it on his Google account would likely have prevented his incident.

Watch an interview with Honan:

Two-factor authentication means identifying yourself to the service in two independent ways: something you know (a password) and something you have (a mobile phone, proven by a frequently changing one-time code that is either delivered to the phone by text message or generated on it by an authenticator app). Even someone who holds the correct password is kept out unless they also hold the phone attached to the account. This works well so long as the phone is working and in the user’s possession. Of the two delivery methods, codes generated on the phone are the stronger choice: a text message can be intercepted or redirected by an attacker who takes over the phone number, while an app-generated code never leaves the device.

Google’s system accounts for the fact that mobile phones go missing and provides several ways to authenticate without one. Users can add extra phone numbers to the account that can receive either a text message or a voice call carrying the code. Users can mark individual computers or mobile devices as “trusted” so they won’t have to complete the two-factor check on every login. Google also lets users print a list of one-time backup codes for emergencies. Finally, the system issues “application-specific” passwords so that applications that cannot prompt for a code, such as mobile email clients, can still reach the account; each one is unique to its application and can be revoked at any time. Keep in mind that every one of these conveniences is a path around the second factor: a stolen trusted laptop or a leaked application-specific password gets in without the phone, so review the trusted-device list and the issued passwords periodically and revoke anything you no longer recognize.
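To make concrete what the app-generated codes and the printed backup codes described above actually are, here is an added example written for this page; it is not code from Google or any of the services mentioned. It implements the open TOTP algorithm (RFC 6238, built on HOTP, RFC 4226) that the Google Authenticator app uses, verifies a submitted code the way a server would (tolerating one 30-second step of clock drift and refusing a code that has already been accepted), and manages a set of single-use backup codes stored only as hashes. The 20-byte key in the usage section is the RFC 6238 test key embedded as constructed sample input, not a real account secret; the `SecondFactor` class, the one-step window and the 8-digit backup-code format are assumptions for illustration.

```python
"""Added example: TOTP (RFC 6238) verification with replay protection, plus
single-use backup codes. Not code from Google or any service on this page."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # seconds per code, the value Google Authenticator uses
DIGITS = 6
WINDOW = 1     # accept one step either side to tolerate clock drift (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """RFC 6238: HOTP whose counter is the number of STEP-second intervals since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what the user scans or types into the app."""
    return base64.b32encode(secret).decode("ascii")


def new_backup_codes(n: int = 10) -> list:
    """Printable emergency codes; 8 digits mirrors the format Google hands out."""
    return ["%08d" % secrets.randbelow(10 ** 8) for _ in range(n)]


class SecondFactor:
    """Per-account second-factor state a server would keep (hypothetical class)."""

    def __init__(self, secret: bytes, backup_codes):
        self.secret = secret
        self.last_counter = -1  # highest time step whose code has been accepted
        # Keep only hashes so a leaked database does not hand out live codes.
        # With 10^8 possible codes a salted, slow hash (hashlib.scrypt) would be stronger.
        self.backup_hashes = {self._h(c) for c in backup_codes}

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.strip().encode()).hexdigest()

    def verify_totp(self, code: str, at=None) -> bool:
        """Accept the code for the current step or its neighbours, each step at most once."""
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:      # already used (or older): refuse replay
                continue
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, code.strip().encode()):
                self.last_counter = c
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once; it is removed on first use."""
        h = self._h(code)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 test key, embedded here as constructed sample input; never reuse it for a real account.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("provision with:", provisioning_secret(demo_secret))
    account = SecondFactor(demo_secret, new_backup_codes())
    code = totp(demo_secret, now)
    print("code", code, "first use accepted:", account.verify_totp(code, now))
    print("same code again accepted:", account.verify_totp(code, now))
```

The replay guard matters because a code stays valid for the whole window; without `last_counter`, a code phished a few seconds ago could still be used. The secret itself is the crown jewel: it must be stored as carefully as a password hash cannot be, since the server needs the raw key to compute the expected code.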

If none of those options are available, the user can fill out a form and Google will conduct a thorough review to establish the identity of the person seeking access. That can take several days to get back into the account, but setting the system up properly at the outset makes that last resort unnecessary. Watch the video above to see how to enable Google’s two-factor authentication.

Facebook took a similar approach with its multifactor system, which also ties authentication to a mobile phone, via a text message or a code generated by its mobile app. If the phone goes missing, the user can log in from a previously trusted computer or device; if none of those are available, they must contact Facebook directly to validate their identity. We’ll post a video soon with instructions on how to enable Facebook’s version of this feature.

Other services are also jumping on the bandwagon.

Dropbox now supports the open TOTP scheme that Google’s Authenticator (GA) app implements, so the same app adds a second factor to its popular file-sharing service. Users are given an emergency code when they first turn the feature on, to be used should the phone get lost or damaged. Like Facebook and Google, it also has a trusted-device scheme that allows access from devices that have already been authenticated. The password manager LastPass also uses GA as an added security layer; it too allows trusted-device access and lets users register multiple mobile devices as backups.

But not everyone is using the strongest means of two factor authentication.

Online payment service PayPal has a two-factor system that can use either a cell phone or a separate code-generating device that is sold for $29. But users can bypass the second factor by answering security questions instead, which reduces the whole system to the strength of those answers, and the answers are often facts an attacker can look up. Yahoo has a text-message-based system, but it also offers to send codes to an alternate email address. That’s a problem because if that address has been compromised it won’t take much for a hacker to get into the Yahoo account despite the added layer. In both cases the lesson is the same: an account is only as strong as its weakest login or recovery path.

While no security system can guarantee an account won’t be hacked, these two-factor systems add a much-needed layer of defense against simple password theft and guessing. They require some configuration and a little extra work at times, but protecting valuable information is worth a few extra steps.